A couple of weeks ago we had a couple of extensions compromised, and since then I have made it my mission to secure our box as far as I can. fail2ban, ipset, voipbl, very strong passwords and monitoring our CDR and “SIP registration” logs for strange IPs have become part of my daily routine.
I have however noted a number of logs which appear to come from a “SIP scanner”, referring to Destination “s[from-sip-external]”. Logically I assume this is another SIP server dialing our SIP server, but I am curious:
- What is the attacker trying to achieve? Are they scanning for extensions or possible open routes?
- What can I do (if anything) to avoid / stop this? We make use of 2 outbound providers to dial through, and our phones unfortunately do not register from a static IP, so I cannot fully “lock” the server down to a select set of IPs.
- My understanding is that someone can make outbound calls by dialing and having an extension answered (I guess voicemail as well), then press # twice followed by a number and then they can make external calls through an extension. Is this something we can block?
I have already disabled voicemail on all of our extensions just in case.
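The log entries described above (anonymous INVITEs landing in `from-sip-external`) are what a small log-watcher can pick out and aggregate by source IP, which is the kind of signal that feeds fail2ban or an ipset block list. The script below is an added example and is not code from the original post or from the FreePBX project. It assumes the shape of Asterisk's `full` log line for the `NoOp` that FreePBX's `from-sip-external` context executes; the sample lines and the addresses in them are constructed for the example, not taken from any real system. A source that repeats and probes several different numbers is treated as a scanner hunting for an open route.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Asterisk's "full" log; no real
# system produced them. Only the lines hitting from-sip-external matter here.
SAMPLE_LOG = """\
[2024-03-04 02:11:05] VERBOSE[1823][C-0000001a] pbx.c: Executing [s@from-sip-external:1] NoOp("SIP/203.0.113.5-00000003", "Received incoming SIP connection from unknown peer to 900441234567") in new stack
[2024-03-04 02:11:06] VERBOSE[1823][C-0000001b] pbx.c: Executing [s@from-sip-external:1] NoOp("SIP/203.0.113.5-00000004", "Received incoming SIP connection from unknown peer to 00441234567") in new stack
[2024-03-04 02:11:07] VERBOSE[1823][C-0000001c] pbx.c: Executing [s@from-sip-external:1] NoOp("SIP/203.0.113.5-00000005", "Received incoming SIP connection from unknown peer to 011441234567") in new stack
[2024-03-04 02:11:08] VERBOSE[1823][C-0000001d] pbx.c: Executing [s@from-sip-external:1] NoOp("SIP/203.0.113.5-00000006", "Received incoming SIP connection from unknown peer to 441234567") in new stack
[2024-03-04 02:15:40] VERBOSE[1823][C-0000001e] pbx.c: Executing [2001@from-internal:1] Macro("SIP/2001-00000007", "exten-vm,novm,2001") in new stack
[2024-03-04 03:02:13] VERBOSE[1823][C-0000001f] pbx.c: Executing [s@from-sip-external:1] NoOp("SIP/198.51.100.7-00000008", "Received incoming SIP connection from unknown peer to 2001") in new stack
"""

# Assumed line layout: for an anonymous call the channel is named after the
# peer's IP (SIP/<ip>-<id>) and the NoOp text ends with the dialed number.
ANON_CALL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\]\[(?P<call>C-[0-9a-f]+)\] pbx\.c: '
    r'Executing \[s@from-sip-external:1\] NoOp\('
    r'"SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+", '
    r'"[^"]*to (?P<called>[^"]+)"\)'
)


def parse_anonymous_calls(log_text):
    """Return one dict (ts, call, ip, called) per call that entered
    from-sip-external, i.e. an INVITE from a peer that is neither a
    registered extension nor a configured trunk."""
    events = []
    for line in log_text.splitlines():
        m = ANON_CALL_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_ip(events):
    """Map each source IP to its anonymous-call count and the set of
    distinct numbers it tried to reach."""
    counts = Counter()
    targets = defaultdict(set)
    for e in events:
        counts[e["ip"]] += 1
        targets[e["ip"]].add(e["called"])
    return counts, targets


def flag_sources(counts, targets, min_calls=3, min_targets=2):
    """Sources that both repeat and probe several numbers look like a
    scanner searching for an open route; return them, busiest first."""
    flagged = [
        ip for ip in counts
        if counts[ip] >= min_calls and len(targets[ip]) >= min_targets
    ]
    return sorted(flagged, key=lambda ip: -counts[ip])


if __name__ == "__main__":
    events = parse_anonymous_calls(SAMPLE_LOG)
    counts, targets = summarize_by_ip(events)
    for ip in flag_sources(counts, targets):
        print(f"{ip}: {counts[ip]} anonymous calls to {sorted(targets[ip])}")
```

Pointing the script at the real `full` log instead of `SAMPLE_LOG` gives a per-IP list that can be reviewed alongside the CDR and registration checks already mentioned; the thresholds are deliberately arguments so they can be tuned to how much legitimate anonymous traffic the box actually expects.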